Wipro for data localisation, differs from Nasscom stand

While Nasscom calls for data rules based on open internet, IT firm feels localisation needed for safety.

“We believe that this data localisation requirement is crucial as it enables storing of information and data domestically especially sensitive and personal data,” Wipro stated.

BENGALURU: Wipro has favoured mandatory domestic incorporation and data localisation for technology intermediaries that generate and collect sensitive and personal data and data critical to national security, economy, public health or safety in order to enable government access in the event of a cyber breach.

Wipro’s response was in stark contrast to software lobby group National Association of Software and Services Companies (Nasscom), which said local incorporation requirement is arbitrary, goes against the ethos of free and open internet, reduces competition in the digital economy, acts as a disincentive to enter India and gives rise to tax concerns.

Wipro and Nasscom were responding to amendments proposed by the Ministry of Electronics and IT (MeitY) to Information Technology (Intermediaries Guidelines) Rules under Section 79 of the Information Technology Act. The IT Act currently provides a legal shield for technology intermediaries such as internet service providers, online payment sites, ecommerce sites and social media companies.

Apart from stringent rules regarding tracing messages, law enforcement assistance and takedown requests without judicial oversight, the government in December proposed that all platforms with more than fifty lakh users must have a registered entity in India.

“We believe that this data localisation requirement is crucial as it enables storing of information and data domestically especially sensitive and personal data and data that is generated and collected by operators of critical information infrastructures which facilitates easy access and quicker remedial responses in case of occurrence of a cyber incident,” Wipro stated in its submission.

The IT Act says critical information infrastructure means the computer resource, the incapacitation or destruction of which, shall have a debilitating impact on national security, economy, public health or safety.

“That’s a prudent approach to take as India is poorly prepared to deal with cyber-security breaches. We don’t have a strong cyber security law. If such breaches take place, there could be ramifications on the sovereignty of our country,” said Pavan Duggal, a top cyber law expert and a Supreme Court lawyer.

Nasscom, which is chaired by Rishad Premji, chief strategy officer of Wipro, didn’t comment on data localisation with respect to technology intermediaries. However, it has previously raised concerns on the draft bill on data protection submitted by the Srikrishna panel which disallows cross-border transfer of all critical personal data and mandated that a live copy of data pertaining to Indian citizens be kept on servers in the country by all companies, at all times.

Wipro, in its submission to MeitY, said the same requirement on local incorporation has also been adopted and utilised in various other jurisdictions such as EU member states — the UK, Netherlands and Germany.

In these countries, Wipro said, digital service providers are subject to their respective domestic Cybersecurity Act only if their main establishment is located within the territory of the country, or have a representative appointed in the member state in which they offer their services.